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Abstract 


In  this  report,  we  describe  a  severe  Mobile  Ad  Hoc  Network  (MANET)  routing  attack 
called  a  wormhole  attack  and  review  state-of-the-art  ways  to  thwart  wormhole  attacks. 

In  a  wormhole  attack,  intruders  tunnel  the  data  from  one  end  of  the  network  to  the 
other,  leading  distant  network  nodes  to  believe  they  arc  neighbours  and  making  them 
communicate  through  the  wormhole  link.  Unlike  many  other  attacks  on  ad  hoc  routing, 
a  wormhole  attack  can  not  be  prevented  with  cryptographic  solutions  because  intruders 
neither  generate  new,  nor  modify  existing,  packets,  but  rather  forward  existing  ones. 


Resume 


Dans  le  present  rapport,  nous  decrivons  V  attaque  par  tunnel  ver,  soit  une  grave  attaque 
liee  a  Tacheminement  dans  le  reseau  ad  hoc  mobile  (MANET).  Nous  y  offrons  aussi 
des  methodes  perfectionnees  pour  la  contrer. 

Dans  une  attaque  par  tunnel  ver,  les  intrus  accedent  aux  donnees  par  effet  tunnel  d’une 
extremite  a  1’ autre  du  reseau,  ce  qui  laisse  croire  aux  nuds  reseau  distants  que  les  intrus 
sont  voisins.  Ceux-ci  communiquent  alors  grce  a  la  liaison  par  tunnel  ver. 
Contrairement  a  de  nombreuses  autres  attaques  menees  contre  un  acheminement 
special,  une  attaque  par  tunnel  ver  ne  peut  etre  prevenue  au  moyen  de  solutions  de 
chiffrement,  car  les  intrus  ne  generent  pas  de  nouveaux  paquets  ni  ne  modilient  ceux 
existants.  En  effet,  ils  transmettent  plutot  les  paquets  existants. 
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Executive  summary 


Attacks,  such  as  the  wormhole  attack  described  in  this  work,  can  be  launched  without 
regal'd  for  most  network  encryption  and  authentication  techniques.  For  MANETs,  the 
dynamic  membership  and  topology,  as  well  as  its  open  medium,  make  it  vulnerable  to 
wormhole  attacks  and  make  detection  difficult. 

The  majority  of  researchers  working  in  this  area  tty  to  prevent  wormholes  by 
distance-bounding  techniques  that  allow  nodes  to  determine  whether  the  node  they 
receive  a  message  from  is  close  to  them.  These  distance-bounding  techniques  can  be 
based  on  geographical  information,  directional  antennas,  or  on  message  traveling  time 
information.  Although  such  techniques  are  analytically  sound,  they  generally  require 
specialized  hardware  and  may  not  be  presently  practical.  Among  them,  GPS-based 
solutions  are  the  most  promising. 

A  number  of  researchers  have  proposed  to  treat  wormholes  as  misbehaving  links.  Such 
approaches,  however,  do  not  deal  with  wormholes  that  are  created  for  reasons  other 
than  packet  flow  disruption,  and  do  not  fully  address  the  wormhole  attack  problem. 
Finally,  several  researcher  proposed  different  specialized  wormhole  detection 
techniques  aimed  at  specific  networks,  such  as  sensor  network  visualization,  or 
abnormal  link  frequency  in  multipath  on-demand  routing.  Such  techniques,  although 
limited  in  scope,  do  add  to  the  body  of  knowledge  in  the  wormhole  attack  prevention 
area. 

Overall,  while  a  number  of  techniques  have  been  proposed  to  combat  wormhole 
attacks,  an  easy,  standard,  lightweight,  versatile,  and  general  solution  is  still  lacking. 
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Sommaire 


Les  attaques,  comme  l’attaque  par  tunnel  ver  qui  est  decrite  dans  le  present  travail, 
peuvent  tre  lances  sans  egard  a  la  plupart  des  techniques  de  chiffrement  et 
d’authentification  en  vigueur.  Le  MANET  ou  reseau  ad  hoc  mobile,  du  fait  de  sa 
composition  dynamique  et  de  sa  topologie  ainsi  que  de  son  architecture  ouverte,  est 
vulnerable  aux  attaques  par  tunnel  ver.  Par  ailleurs,  il  est  difficile  d’y  detecter  pareilles 
attaques. 

Les  chercheurs  uvrant  dans  ce  domaine  tentent  pour  la  plupart  de  prvenir  les  tunnels 
ver  grce  a  des  techniques  de  delimitation  des  distances.  Celles-ci  permettent  aux  nuds 
de  dterminer  si  le  nud  duquel  ils  reoivent  un  message  se  trouve  pre  s  d’eux.  Ces 
techniques  peuvent  tre  fondees  sur  de  l'information  geographique,  des  antennes 
directives  ou  la  duree  en  transit  des  messages.  Malgre  que  ces  techniques  permettent  de 
proceder  a  une  analyse  approfondie,  elles  exigent  en  general  du  materiel  specialise  et 
peuvent  ne  pas  s’averer  pratiques  actuellement.  Par  mi  ces  techniques,  les  solutions 
fondees  GPS  donnent,  par  ailleurs,  les  resultats  les  plus  prometteurs. 

Un  certain  nombre  de  chercheurs  ont  propose  de  traiter  les  tunnels  ver  comme  des  liens 
au  comportement  douteux.  Toutefois,  ces  dmarches  ne  permettent  pas  de  couvrir  les 
tunnels  ver  crees  a  d’autres  fins  que  l'interruption  de  paquets.  Aussi,  elles  ne  corrigent 
pas  entirement  le  problme  lie  a  ces  attaques.  Enfin,  plusieurs  chercheurs  ont  suggere 
diverses  techniques  specialises  de  detection  de  tunnels  ver  pour  des  reseaux  prcis.  Ils 
ont  ainsi  mis  de  l’avant  des  solutions  comme  la  visualisation  de  reseaux  de  capteurs  ou 
le  suivi  du  taux  de  liens  anormaux  dans  un  acheminement  sur  demande  chemins 
multiples.  De  telles  techniques,  malgre  que  leur  portee  soit  limitee,  s’ajoutent  a  la  base 
de  connaissances  en  matire  de  prevention  des  attaques  par  tunnel  ver. 

Globalement,  nmie  si  un  certain  nombre  de  techniques  ont  ete  proposees  pour  lutter 
contre  les  attaques  par  tunnel  ver.  il  manque  quand  nmie  a  ce  sujet  une  solution 
generale,  polyvalente,  legere,  standard  et  facile  d’emploi. 
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1.  Introduction 


Mobile  wireless  ad  hoc  networks  arc  a  relatively  new  field  of  research.  Such  networks 
arc  fundamentally  different  from  wired  networks,  as  they  use  wireless  medium  to 
communicate,  do  not  rely  on  fixed  infrastructure,  and  can  arrange  themselves  into  a 
network  quickly  and  efficiently.  In  a  Mobile  Ad  Hoc  Network  (MANET),  each  node 
serves  as  a  router  for  other  nodes,  which  allows  data  to  travel,  utilizing  multi-hop 
network  paths,  beyond  the  line  of  sight  without  relying  on  wired  infrastructure. 

MANETs  arc  particularly  attractive  for  situations  where  deployment  of  infrastructure  is 
costly  or  impossible,  such  as  military  deployments,  emergency  rescue  operations,  and 
short-lived  conference  or  classroom  activities.  Security  of  such  networks,  however,  is  a 
great  concern  [1].  The  open  nature  of  the  wireless  medium  makes  it  easy  for  outsiders 
to  listen  to  network  traffic  or  interfere  with  it.  Lack  of  centralized  control  authority 
makes  deployment  of  traditional  centralized  security  mechanisms  difficult,  if  not 
impossible.  Lack  of  clear  network  entry  points  also  makes  it  difficult  to  implement 
perimeter-based  defence  mechanisms  such  as  firewalls.  Finally,  in  a  MANET  nodes 
might  be  battery-powered  and  might  have  very  limited  resources,  which  may  make  the 
use  of  heavy-weight  security  solutions  undesirable  ([1],  [2],  [3]). 

A  large  number  of  routing  protocols  for  MANETs  have  been  proposed  to  enable  quick 
and  efficient  network  creation  and  restructuring.  However,  common  ad  hoc  routing 
protocols  were  not  designed  with  security  in  mind,  and  assume  trusting  and  cooperative 
environment  [1].  Security  of  MANET  routing  is  an  active  research  area  at  this  time. 

A  research  field  related  to  MANETs  is  sensor  networks,  whose  security  is  also  of  a 
great  interest.  Just  like  ‘full-scale’  MANETs,  sensor  networks  do  not  rely  on  fixed 
infrastructure,  use  wireless  media  to  communicate,  and  serve  as  routers  for  each  other. 
However,  sensor  networks  also  have  peculiarities  not  shared  with  general  MANETs. 
Sensors  arc,  in  general,  extremely  resource-constrained,  and  may  have  shorter 
communication  range.  In  addition,  sensor  networks  are  often  presumed  to  be  dense, 
marginally  (if  at  all)  mobile,  and  be  reporting  to  a  centralized  controller. 


1.1  Wormhole  attack 

A  wormhole  attack  is  a  particularly  severe  attack  on  MANET  routing  where  two 
attackers,  connected  by  a  high-speed  off-channel  link,  arc  strategically  placed  at 
different  ends  of  a  network,  as  shown  in  Figure  1 .  These  attackers  then  record  the 
wireless  data  they  overhear,  forward  it  to  each  other,  and  replay  the  packets  at  the  other 
end  of  the  network.  Replaying  valid  network  messages  at  improper  places,  wormhole 
attackers  can  make  far  apart  nodes  believe  they  arc  immediate  neighbours,  and  force  all 
communications  between  affected  nodes  to  go  through  them. 

In  general,  ad  hoc  routing  protocols  fall  into  two  categories:  proactive  routing 
protocols  that  rely  on  periodic  transmission  of  routing  updates,  and  on-demand  routing 
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High-speed  off-channel  link 


Figure  1:  A  network  under  a  wormhole  attack.  Intruders  A  and  B  are  connected  by  an  off-channel  link  (i.e.  wired  or 
satellite  link),  which  they  use  to  tunnel  network  data  from  one  end  of  the  network  to  the  other.  Without  a  wormhole, 
nodes  7  and  3  are  4  hops  apart,  -  their  messages  to  each  other  should  go  through  nodes  2,  6,  and  5.  When 
intruders  A  and  B  activate  a  wormhole,  nodes  7  and  3  are  able  to  directly  overhear  each  others'  messages,  and  are 
lead  to  believe  they  are  immediate  neighbours.  Once  this  happens,  all  further  communications  between  nodes  3  and 
7  will  be  going  through  the  wormhole  link  introduced  by  A  and  B. 


protocols  that  search  for  routes  only  when  necessary.  A  wormhole  attack  is  equally 
dangerous  for  both  proactive  and  on-demand  protocols  [2]. 

When  a  proactive  routing  protocol,  such  as  Optimized  Link-State  Routing  (OLSR)  [4] 
is  used,  ad  hoc  network  nodes  send  periodic  HELLO  messages  to  each  other  indicating 
their  participation  in  the  network.  In  Figure  1,  when  node  3  sends  a  HELLO  message, 
intruder  A  forwards  it  to  the  other  end  of  the  network,  and  node  7  hears  this  HELLO 
message.  Since  7  can  hear  a  HELLO  message  from  3,  it  assumes  itself  and  node  3  to  be 
direct  neighbours.  Thus,  if  7  wants  to  forward  anything  to  3,  it  will  do  so  through  the 
wormhole  link,  effectively  giving  the  wormhole  attackers  full  control  of  the 
communication  link. 

If  a  network  uses  an  on-demand  routing  protocol,  such  as  Ad-hoc  On-Demand  Vector 
routing  (AODV)  [5],  the  wormhole  is  just  as  effective.  In  on-demand  protocols,  when  a 
node  wants  to  communicate  with  another  node,  it  floods  its  neighbours  with  requests, 
Lying  to  determine  the  shortest  path  to  the  destination.  In  Figure  1 ,  if  3  wants  to 
communicate  with  7,  it  sends  out  a  request,  which  a  wormhole,  once  again,  forwards 
without  change  to  the  other  end  of  the  network,  -  directly  to  node  7.  A  request  also 
travels  along  the  network  in  a  proper  way,  so  7  is  lead  to  believe  it  has  two  possible 
routes  to  node  3:  a  4-hop  route  through  nodes  2,6,and  5,  and  a  single-hop  direct  link. 
Protocols  will  then  select  the  shortest  route,  once  again  giving  wormhole  attackers  full 
control  of  the  link. 
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Majority  of  ad  hoc  routing  protocols  rely  on  the  correctness  of  their  neighbours’ 
information  for  routing  decisions,  thus  allowing  wormhole -induced  disruptions  to  have 
greater  effects.  For  example,  in  the  situation  described  in  Figure  1,  where  nodes  3  and  7 
think  they  arc  direct  neighbours,  nodes  5  and  8  will  then  think  they  arc  two  hops  away 
from  node  3  (going  through  node  7),  and  will  communicate  with  node  3  through  the 
wormhole  link  as  well. 

Once  the  wormhole  attackers  have  control  of  a  link,  they  can  do  a  number  of  things  to 
actively  disrupt  the  network.  Attackers  can  drop  the  packets  their  link  is  supposed  to  be 
forwarding.  They  can  drop  all  packets,  a  random  portion  of  packets,  or  specifically 
targeted  packets1.  Attackers  can  also  forward  packets  out  of  order  or  ‘switch’  their  link 
on  and  off. 

It  should,  however,  be  noted  that  wormholes  arc  dangerous  by  themselves,  even  if 
attackers  are  diligently  forwarding  all  packets  without  any  disruptions,  -  on  some  level, 
providing  a  communication  service  to  the  network.  With  wormholes  in  place,  affected 
network  nodes  do  not  have  a  true  picture  of  the  network,  which  may  disrupt  the 
localization-based  schemes,  lead  to  the  wrong  decisions,  etc.  Wormholes  can  also  be 
used  to  simply  aggregate  a  large  number  of  network  packets  for  the  purpose  of  traffic 
analysis  or  encryption  compromise.  Finally,  a  wormhole  link  is  simply  unreliable,  as 
there  is  no  way  to  predict  what  the  attackers  can  do  and  when.  Simply  put,  the 
wormholes  arc  compromising  network  security  whether  they  arc  actively  disrupting 
routing  or  not. 


2.  Solutions  to  wormhole  attacks 


Routing  security  in  ad  hoc  networks  is  often  equated  with  strong  and  feasible  node 
authentication  and  lightweight  cryptography.  A  wide  variety  of  secure  extensions  to 
existing  routing  protocols  have  been  proposed  over  the  years.  However,  the  majority  of 
these  protocols  arc  focused  on  using  cryptographical  solutions  to  prevent  unauthorized 
nodes  from  creating  seemingly  valid  packets  [1].  Unfortunately,  the  wormhole  attack 
can  not  be  defeated  by  cryptographical  measures,  as  wormhole  attackers  do  not  create 
separate  packets  -  they  simply  replay  packets  already  existing  on  the  network,  which 
pass  all  cryptographic  checks. 

Virtually  all  generalized  secure  extensions  proposed  for  currently  popular  routing 
protocols  do  not  alleviate  wormhole  attacks.  However,  since  wormhole  attack  such  a 
severe  thread  to  ad  hoc  network  security,  several  researchers  have  worked  on 
preventing  or  detecting  wormhole  attacks  specifically.  In  this  section,  we  summarize 
and  discuss  their  efforts.  In  section  2.1,  we  discuss  a  technique  called  ‘packet  leashes’, 
which  allows  to  prevent  packets  from  traveling  fait  her  than  radio  transmission  range. 

'Two  distinct  situations  are  possible  here.  When  no  encryption  is  used,  attackers  know  exactly  what  they  are 
forwarding,  and  can  target  specific  packets.  When  strong  multi-layer  encryption  is  used,  attackers  can  either  drop 
packets  at  random,  or  try  to  figure  out  (based  on  traffic  patterns,  packet  sizes,  etc.)  what  they  are  going  to  drop 
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Section  2.2  talks  about  wormhole  prevention  methods  that  rely  on  round  trip  message 
time  (RTT)  to  ensure  nodes  claiming  to  be  located  close  together  really  are.  In  section 
2.3,  we  discuss  the  work  of  researchers  who,  instead  of  treating  wormholes,  treat  the 
network  disruptions  they  introduce.  Finally,  section  2.4  summarized  other,  more 
specialized  wormhole  detection  or  prevention  techniques  suitable  for  only  particular 
kinds  of  networks. 


2.1  Packet  leashes 

Perhaps  the  most  commonly  cited  wormhole  prevention  mechanism  is  ‘packet  leashes’ 
by  Hu  et  al  ([6],  [7]).  Hu  proposes  to  add  a  secure  ‘leash’  containing  timing  and/or 
Global  Positioning  System  (GPS)  information  to  each  packet  on  a  hop-by-hop  basis. 
Based  on  the  information  contained  in  a  packet  leash,  a  node  receiving  the  packet 
would  be  able  to  determine  whether  the  packet  has  traveled  a  distance  larger  than 
physically  possible. 

Hu  proposes  two  different  kinds  of  leashes:  geographical  leashes  and  temporal 
leashes.  Geographic  leashes  require  each  node  to  have  access  to  up-to-date  GPS 
information,  and  rely  on  loose  (in  the  order  of  ms)  clock  synchronization.  When 
geographical  leashes  arc  used,  a  node  sending  a  packet  appends  to  it  the  time  the  packet 
is  sent  ts  and  its  location  ps.  A  receiving  node  uses  its  own  location  /;,  and  the  time  it 
receives  a  packet  tr  to  determine  the  distance  the  packet  could  have  traveled.  Keeping 
in  mind  maximum  possible  node  velocity  v,  clock  synchronization  error  A,  and  possible 
GPS  distance  error  a,  the  distance  between  the  sender  and  the  receiver  dsr  is 
upper-bounded  by: 


dSr  <  || Ps  ~  Pr\\  +  2 v(tr  —  ts  +  A)  +  <3 


(1) 


Geographical  leashes  should  work  fine  when  GPS  coordinates  are  practical  and 
available.  However,  modern  GPS  technology  has  significant  limitations  that  should  not 
be  overlooked.  While  the  price  of  GPS  devices  is  going  down,  it  remains  substantial. 
Besides,  GPS  is  somewhat  of  a  nuisance  for  personal  laptops.  Also,  while,  as  Hu  [6] 
specifies,  it  is  possible  to  achieve  GPS  precision  of  about  3m  with  state-of-the-art  GPS 
devices,  consumer-level  devices  do  not  get  (and  do  not  require)  this  level  of  resolution. 
Finally,  GPS  systems  arc  not  versatile,  as  GPS  devices  do  not  function  well  inside 
buildings,  under  water,  in  the  presence  of  strong  magnetic  radiation,  etc. 

As  opposed  to  geographical  leashes,  temporal  leashes  require  much  tighter  clock 
synchronization  (in  the  order  of  nanoseconds),  but  do  not  rely  on  GPS  information. 
When  temporal  leashes  are  used,  the  sending  node  specifies  the  time  it  sends  a  packet  ts 
in  a  packet  leash,  and  the  receiving  node  uses  its  own  packet  reception  time  tr  for 
verification  .  In  a  slightly  different  version  of  temporal  packet  leashes,  the  sending  node 
calculates  an  expiration  time  te  after  which  a  packet  should  not  be  accepted,  and  puts 
that  information  in  the  leash.  To  prevent  a  packet  from  traveling  farther  than  distance  L, 
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the  expiration  time  is  set  to: 


L 

te  =  ts  H - A  (2) 

c 

where  c  is  the  speed  of  light  and  A  is  the  maximum  clock  synchronization  error. 

The  level  of  time  synchronization  required  for  temporal  leashes  (on  the  order  of 
nanoseconds)  entails  the  use  of  specialized  hardware  not  currently  practical  in  wireless 
ad  hoc  networks.  In  sensor  networks,  such  levels  of  synchronization  are  impossible  [6] 
at  this  time.  Temporal  packet  leashes  thus  offer  an  elegant  but  not  practical  solution  to 
wormhole  attacks. 

Wang  [8]  proposes  an  approach  inspired  by  packet  leashes  [6],  but  based  on  end-to-end 
location  information,  rather  than  hop-by-hop  leashes  in  [6].  Similar  to  geographic 
packet  leashes,  Wang’s  method  requires  each  node  to  have  access  to  up-to-date  GPS 
information,  and  relies  on  loosely  synchronized  clocks.  In  Wang’s  approach,  each  node 
appends  its  location  and  time  to  a  packet  it  is  forwarding,  and  secures  this  information 
with  an  authentication  code.  The  packet’s  destination  node  then  verifies  the  nodes’ 
coordinates  (i.e.  verifies  that  reported  coordinates  arc  within  the  communication  range) 
and  speeds.  A  minor  disadvantage  of  this  approach  is  that  the  end  node  is  left  to  do  all 
verification.  Just  like  geographical  packet  leashes  proposed  by  Hu,  this  approach 
should  work  fine  where  GPS  coordinates  are  appropriate. 


2.2  Time-of-flight 

Another  set  of  wormhole  prevention  techniques,  somewhat  similar  to  temporal  packet 
leashes  [6],  is  based  on  the  time  of  flight  of  individual  packets.  Wormhole  attacks  arc 
possible  because  an  attacker  can  make  two  far-apart  nodes  see  themselves  as 
neighbours.  One  possible  way  to  prevent  wormholes,  as  used  by  Capkun  et  al  [9],  Hu  et 
al  [10],  Hong  et  al  [11],  and  Korkmaz  [12],  is  to  measure  round-trip  travel  time  of  a 
message  and  its  acknowledgement,  estimate  the  distance  between  the  nodes  based  on 
this  travel  time,  and  determine  whether  the  calculated  distance  is  within  the  maximum 
possible  communication  range. 


The  basis  of  all  these  approaches  is  the  following.  The  Round  Trip  Travel  Time  (RTT) 
5  of  a  message  in  a  wireless  medium  can,  theoretically,  be  related  to  the  distance  d 
between  nodes,  assuming  that  the  wireless  signal  travels  with  a  speed  of  light  c: 


5  = 


2d 

c 


(4) 


The  neighbour  status  of  nodes  is  verified  if  d  is  within  the  radio  transmission  range  R  : 
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R>  d  (d  within  transmission  range)  =>■ 


R> 


5*c 


(5) 


8  < 


2  R 

c 


(6) 


In  essence,  the  use  of  RTT  eliminates  the  need  for  tight  clock  synchronization  required 
in  temporal  leashes:  a  node  only  uses  its  own  clock  to  measure  time.  However,  this 
approach,  while  accounting  for  message  propagation,  completely  ignores  message 
processing  time.  When  a  message  is  sent  by  one  node  and  is  acknowledged  by  another, 
the  time  it  takes  for  a  node  to  process  a  message  and  to  reply  to  it  is  generally 
non-negligible,  particularly  in  the  context  of  bounding  short  distances  using  signals 
whose  speed  is  similar  to  that  of  light  in  vacuum.  After  all,  it  takes  the  light  less  than 
0.2  seconds  to  circle  the  entire  Earth  around  the  equator.  Outstanding  clock  precision 
and  practically  nonexistent  errors  arc  required  to  bound  distances  on  the  order  of 
hundreds  of  meters. 

When  a  de-facto  standard  of  wireless  ad  hoc  networks  802. 1 1  Medium  Access 
Control  (MAC)  protocol  [13]  is  used,  such  calculations  arc  downright  impossible. 

802.1 1  imposes  a  short  wait  time  of  lOps  (SIFS2)  between  the  reception  of  a  packet  and 
sending  of  802.1 1  acknowledgement.  When  802.1 1  is  used,  transmission  range  R  is 
generally  about  300  meters.  The  speed  of  light  c  is  300,000,000  m/second.  Then,  from 
equation  4: 


5  = 


2d 

c 


600  m 

300, 000, 000  m/s 


=  0.000002s  =  2*  10-6 


2 jus 


(V) 


Therefore,  the  RTT  is  an  order  of  magnitude  smaller  than  the  delay  required  by  the 
protocol.  We  could,  of  course,  account  for  this  processing  time  by  modifying  formula  4 
in  the  following  manner: 

5  =—+S  (8) 

c 


where  S  is  SIFS.  However,  note  that  wormhole  attackers  arc  not  limited  by  the  rules  of 
the  network,  and  could,  with  some  ingenuity,  send  their  packets  without 

802.1 1 - imposed  delay  -  thus  breaking  this  type  of  defence  altogether.  On  the  other 
hand,  if  nodes  were  to  use  formula  4  directly,  they  would  have  to  ignore 

802.1 1 - mandated  delays,  thus  breaking  it  altogether.  Hence,  in  order  to  use  the 
approaches  based  on  time  of  flight,  special  arrangements  arc  required. 

2This  wait  time  is  Short  Interframe  Space  (SIFS)  .  The  SIFS  value  depends  on  the  version  of  802.11  protocol. 
802.11a  specifies  SIFS  of  16ps,  802.11b  and  802.  llg  -  10ps[13] 
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Capkun  et  al  [9]  propose  to  use  specialized  hardware  that  enables  fast  sending  of 
one-bit  challenge  messages  without  CPU  involvement,  as  to  minimize  all  possible 
processing  delays.  To  verify  distance  between  the  nodes,  each  node  sends  a  one -bit 
challenge  to  the  nodes  it  ‘encounters’,  and  waits  for  a  response.  A  receiving  node 
immediately  sends  a  single-bit  reply.  While  Capkun’s  use  of  specialized  hardware  is 
somewhat  discouraging,  his  method  is  nonetheless  very  interesting. 

Hu  [10]  proposes  a  mechanism  very  similar  to  Capkun’s  [9],  but  does  not  use  single-bit 
challenge  approach.  Instead,  Hu  relies  round-trip  travel  time  of  full  packets  with  CPU 
involvement,  explicitly  assuming  medium  access  delays  to  be  negligible.  In  addition, 
Hu’s  approach  requires  substantial  processing  of  messages:  upon  the  reception  of  a 
message,  a  node  verifies  the  message  correctness  (i.e.  performs  one  hash  function 
operation)  and  sends  an  authenticated  reply.  Hong  [1 1]  uses  a  mechanism  practically 
identical  to  Hu’s:  upon  reception  of  a  HELLO  packet,  the  receiving  node  sends  a  probe 
to  the  HELLO’s  sender.  When  receiving  a  probe,  a  node  answers  it  immediately3. 

Korkmaz  [12]  studied  in  detail  the  distance-bounding  techniques  described  by  other 
authors.  Korkmaz  found  that  using  round-trip  time  may  lead  to  a  high  percentage  of 
valid  neighbours  being  rejected.  He  noted  that  although  a  wireless  signal  is  akin  to  light 
signal  in  vacuum,  it  is  not  exactly  same,  and  its  speed  is  slower  [12].  He  also  notes  that 
even  small  errors  in  measuring  time  delays  alter  the  distance  measurements 
significantly,  as  we’ve  alluded  to  above. 

Korkmaz  proposes  a  modified  statistical  method  based  on  RTT  8.  He  suggests  using 
two  different  bounds  for  RTT,  one  based  on  the  speed  of  light  c  ( boundC  ==f),  and 
another  based  on  experimentally  determined  speed  of  travel  of  the  wireless  signal  s 
(. bounds  =  =f).  If  RTT  5  is  under  =f-,  the  nodes  are  considered  neighbours.  If  5  is 
larger  than  the  nodes  arc  considered  non- neighbours.  Lor  the  nodes  with  8  in 
between  these  bounds,  Korkmaz  suggests  a  probabilistic  measure  of  ‘neighbourness’. 

In  addition,  Korkmaz  also  proposes  to  use  received  signal  strength  to  verify  the 
‘neighbourness’  determined  from  the  time  of  flight.  In  summary,  Korkmaz ’s  approach 
modifies  and  extends  the  RTT-based  technique  described  above. 

Approaches  based  on  RTT  of  a  packet  arc  similar  in  nature  to  temporal  packet  leashes, 
[7],  but  do  not  require  clock  synchronization  between  nodes.  The  idea  of  these 
approaches  is  very  simple:  wireless  nodes  that  claim  to  be  neighbours  should  be 
physically  close  to  each  other,  and  when  one  node  sends  a  packet  to  another,  the  answer 
should  arrive  very  shortly,  ideally  within  the  amount  of  time  a  wireless  signal  would 
travel  between  the  nodes.  If  there  is  a  wormhole  attacker  involved,  packets  end  up 
traveling  farther,  and  thus  can  not  be  returned  within  a  short  time. 

It  is  intriguing  that  while  Capkun  [9]  proposes  to  use  special  hardware  to  drive  the 
message  processing  time  down,  Hu  [10]  and  Hong  [11]  simply  assume  MAC  delays  to 

3We  have  substantial  concerns  about  originality  Hong's  paper,  but  nonetheless  mention  it  here  for  completeness. 
Hong’s  wormhole  discovery  technique  ([11],  2005)  is  for  all  intents  and  purposes  identical  to  Hu’s  work  published 
two  years  prior  to  2005  ([10],  2003).  Hong,  however,  does  not  acknowledge  or  even  cite  Hu’s  work. 
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be  negligible,  and  claim  the  possibility  of  lightening  fast  message  processing. 

It  would  be  very  interesting  to  see  one  of  these  schemes  implemented  on  a  real-world 
system.  Above,  we  demonstrated  that  RTT-based  approaches  arc  incompatible  with  the 
standard  802. 1 1  MAC  protocol.  Thus,  on  top  of  possibly  requiring  specialized 
hardware,  these  approaches  also  prohibit  the  use  of  the  standard  MAC  protocol,  and, 
overall,  do  not  seem  practical. 


2.3  Wormhole  discovery  from  wormhole’s  effect 

Several  researchers  worked  on  the  wormhole  attack  problem  by  treating  a  wormhole  as 
a  misbehaving  link.  In  such  approaches,  a  wormhole  attack  is  not  specifically 
identified.  Rather,  the  wormhole’s  destructive  behaviour  is  mitigated. 

Baruch  [14]  and  Chigan  [15]  use  link  rating  schemes  to  prevent  blackhole  and 
wormhole  attacks.  They  both  rely  on  authenticated  acknowledgements  of  data  packets 
to  rate  links:  if  a  link  is  dropping  packets,  the  acknowledgements  do  not  get  through, 
link  is  rated  low  and  avoided  in  the  future. 

These  approaches  arc  geared  towards  discovery  and  prevention  of  only  one  kind  of 
wormhole  behaviour:  packet  loss.  Wormholes  can  do  much  more  than  that:  they  can 
send  packets  out  of  order,  confuse  location-based  schemes,  or  simply  aggregate  packets 
for  traffic  analysis.  Even  the  distortion  of  topology  information  that  a  wormhole 
introduce  can  be  a  significant  problem  in  particular  networks.  The  real  problem  with 
the  wormholes  is  that  unauthorized  nodes  (wormhole  attackers)  are  able  to  transmit 
valid  network  messages.  Techniques  based  on  links’  performance  may  be  suitable  in 
certain  cases,  but  they  do  not  fully  address  the  wormhole  problem. 

Consider  the  scenario  shown  in  Figure  2.  Say  that  originally  intruders  arc  creating  a 
wormhole  between  nodes  A  and  M.  To  the  network,  it  seems  that  nodes  A  and  M  are 
direct  neighbours,  and  the  link  between  them  is  evaluated  using  a  link  rating  system. 
When  the  rating  system  determines  the  link  A-M  to  be  lossy,  it  avoids  it  -  which  can  be 
detected  by  the  attackers.  They  can  then  simply  move  on:  create  a  fake  link  between, 
say,  nodes  B  and  L,  or  even  B  and  M.  Since  the  methods  proposed  in  [14]  and  [15]  do 
not  differentiate  between  poorly  performing  links  and  wormhole  intruders,  discovery  of 
a  bad  link  between  A  and  M  does  not  trigger  a  security  investigation,  and  the  attackers 
can  thus  indefinitely  continue  to  disrupt  the  network. 


2.4  Specialized  techniques 

A  wide  variety  of  wormhole  attack  mitigation  techniques  have  been  proposed  for 
specific  kinds  of  networks:  sensor  networks,  static  networks,  or  networks  where  nodes 
use  directional  antennas.  In  this  section,  we  describe  and  discuss  such  techniques, 
commenting  on  their  usability  and  the  possibility  of  their  use  in  general  mobile 
MANETs. 
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Figure  2:  When  a  wormhole  is  treated  as  a  misbehaving  link,  attackers  are  not  detected  and  can  create  wormhole 

attacks  targeting  other  nodes  on  the  network. 


2.4.1  Nodes  with  directional  antennas 

Directional  antennas  have  been  extensively  studied  in  the  general  literature 
[16].  When  directional  antennas  arc  used,  nodes  use  specific  ‘sectors’  of  their 
antennas  to  communicate  with  each  other,  as  shown  in  Figure  3.  Therefore,  a 
node  receiving  a  message  from  its  neighbour  has  some  information  about  the 
location  of  that  neighbour,  -  it  knows  the  relative  orientation  of  the  neighbour 
with  respect  to  itself,  as  demonstrated  in  Figure  3.  This  extra  bit  of 
information  makes  wormhole  discovery  much  easier  than  in  networks  with 
exclusively  omni-directional  antennas. 

In  [16],  Hu  and  Evans  propose  a  solution  to  wormhole  attacks  for  ad  hoc 
networks  in  which  all  nodes  arc  equipped  with  directional  antennas. 
Wormholes  introduce  substantial  inconsistencies  in  the  network,  and  can 
easily  be  detected.  In  SERLOC  [17],  Lazos  et  al  use  a  slightly  different 
approach.  In  SERLOC,  only  a  few  nodes  need  to  be  equipped  with  directional 
antennas,  but  these  nodes  also  have  to  be  location-aware.  These  nodes  then 
send  out  localization  beacons,  based  on  which  regular  network  nodes 
determine  their  own  relative  location. 

The  methods  proposed  by  Hu  [16]  and  Lazos  [17]  arc  both  viable,  and  could 
be  easily  applied  to  networks  that  use  directional  antennas.  Currently,  such 
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Figure  3:  Nodes  using  directional  antennas.  When  nodes  A  and  B  communicate,  they  send  their  messages  on 
specific  ‘sectors':  node  A  uses  its  North-  East  sector,  node  B  -  South-West.  Therefore  both  nodes  know  how  they 
are  located  with  respect  to  each  other.  From  knowing  the  sector  on  which  it  receives  B’s  messages,  A  knows  that  B 
is  located  to  the  North-East.  Had  nodes  A  and  B  used  omni-directional  antennas,  A  would  not  be  able  to  say 

anything  at  all  about  B's  location. 


networks  are  mostly  in  research  stage,  and  their  future  prominence  is  not  clear. 

2.4.2  Sensor  networks:  network  visualization 

Wang  and  Bhargava  [18]  introduce  an  approach  in  which  network 
visualization  is  used  for  discovery  of  wormhole  attacks  in  stationary  sensor 
networks.  In  their  approach,  each  sensor  estimates  the  distance  to  its 
neighbours  using  the  received  signal  strength.  During  the  initial  sensor 
deployment,  all  sensors  send  this  distance  information  to  the  central 
controller,  which  calculates  the  network’s  physical  topology  based  on 
individual  sensor  distance  measurements.  With  no  wormholes  present,  the 
network  topology  should  be  more  or  less  flat,  while  a  wormhole  would  be 
seen  as  a  ‘string’  pulling  different  ends  of  the  network  together. 

Wang’s  approach  [18]  has  several  aspects  that  may  limit  its  applicability  to 
general  ad  hoc  networks.  Wang  assumes  a  dense  sensor  network  of  a  polygon 
shape  deployed  on  a  flat  surface,  -  an  assumption  perhaps  justified  for  sensor 
networks,  but  not  practical  for  ad  hoc  networks.  For  sparsely  located  ad  hoc 
network  nodes,  the  estimated  physical  topology  may  not  be  precise.  Also,  this 
method  requires  a  central  controller,  and  thus  not  readily  suitable  for 
decentralized  networks.  Finally,  while  this  method  should,  theoretically,  be 
extendable  to  mobile  networks,  Wang  does  not  study  how  node  mobility 
would  affect  the  results. 
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Overall,  Wang’s  method  requires  more  research  to  be  applicable  to  sparse, 
decentralized,  or  mobile  ad  hoc  networks,  but  seems  promising. 

2.4.3  Sensor  networks:  use  of  location-aware  guards 

Lazos  et  al  [19]  develop  a  ‘graph-theoretical’  approach  to  wormhole  attack 
prevention  based  on  the  use  of  Location-Aware  ‘Guard’  Nodes4  (LAGNs). 

In  [19],  Lazos  uses  ‘local  broadcast  keys’  -  keys  valid  only  between  one-hop 
neighbours  -  to  defy  wormhole  attackers:  a  message  encrypted  with  a  local 
key  at  one  end  of  the  network  can  not  be  decrypted  at  another  end.  However, 
the  establishment  of  such  keys  is  non-trivial  in  the  possible  presence  of 
wormholes.  Lazos  proposes  to  use  hashed  messages  from  LAGNs  to  detect 
wormholes  during  the  key  establishment.  LAGNs  arc  assumed  to  be  trusted, 
and,  since  their  location  is  known,  a  node  can  detect  certain  inconsistencies  in 
messages  from  different  LAGNs  if  a  wormhole  is  present.  Without  a 
wormhole,  a  node  should  not  be  able  to  hear  two  LAGNs  that  arc  far  from 
each  other,  and  should  not  be  able  to  hear  the  same  message  from  one  guard 
twice.  Use  of  LAGNs,  in  essence,  allows  the  nodes  not  equipped  with  GPS 
devices  to  perceive  network  irregularities  a  wormhole  introduces,  and  to  get 
some  idea  about  their  relative  position  in  space. 

Lazos’s  method  [19]  is  elegant.  However,  it  seems  more  suitable  for  dense 
stationary  sensor  networks  than  for  mobile  ad  hoc  networks5.  For  example, 
LAGNs  in  this  scheme  arc  assumed  to  have  longer  communication  range  than 
regular  network  nodes,  -  a  good  assumption  for  sensor  networks  (i.e.  where 
sensor  motes  arc  regular  nodes,  laptops  arc  LAGNs),  but  not  usually  available 
with  mobile  ad  hoc  networks.  Also,  the  assumption  of  trusted  LAGNs  is 
better  justified  for  sensor  networks  (where  controllers  can  act  as  LAGNs)  than 
for  standard  ad  hoc  networks.  Nonetheless,  Lazos'  method  is  relatively 
lightweight,  and  may  hold  promise  sensor  networks  and  for  particular  types  of 
non-sensor  ad  hoc  networks6  . 

2.4.4  Stationary  networks:  LiteWorp 

Khalil  et  al  [20]  propose  a  protocol  for  wormhole  attack  discovery  in  static 
networks  they  call  LiteWorp.  In  LiteWorp,  once  deployed,  nodes  obtain  full 
two-hop  routing  information  from  their  neighbours.  While  in  a  standard  ad 
hoc  routing  protocol  nodes  usually  keep  track  of  who  their  neighbours  arc,  in 
LiteWorp  they  also  know  who  the  neighbours’  neighbours  arc,  -  they  can  take 

4As  we’ve  explained  above,  Lazos  also  worked  on  a  wormhole-resistant  localization  scheme  for  sensor  networks 
[17],  from  which  this  wormhole  attack  prevention  technique  seem  to  directly  follow 

5  In  the  paper.  Lazos  proposes  it  for  ad  hoc  networks,  but  we  feel  it  is  more  suitable  for  sensor  networks 
6While  the  need  for  specialized  high-range  location-aware  ‘guards’  is  probably  limiting  for  emergency  and  tac¬ 
tical  operations,  it  may  be  suitable  for  a  mixed  wired/wireless  networks  (i.e.  office  networks,  rooftop,  etc.)  where 
stationary  high-power  wireless  access  points  may  serve  as  LANGs 
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advantage  of  two-hop,  rather  than  one-hop,  neighbour  information.  This 
information  can  be  exploited  to  detect  wormhole  attacks7. 

After  authentication,  nodes  do  not  accept  messages  from  those  they  did  not 
originally  register  as  neighbours.  Also,  nodes  observe  their  neighbours’ 
behaviour  to  determine  whether  data  packets  arc  being  properly  forwarder  by 
the  neighbour,  -  a  so-called  ‘watchdog’  approach.  LiteWoip  adds  an 
interesting  wormhole-specific  twist  to  the  standard  watchdog  behaviour: 
nodes  not  only  verify  that  all  packets  arc  forwarded  properly,  but  also  make 
sure  that  no  node  is  sending  packets  it  did  not  receive  (as  would  be  the  case 
with  a  wormhole) 

LiteWoip  is,  no  doubt,  interesting,  but  would  not  work  at  all  in  a  scenario 
where  node  mobility  is  a  factor.  Since  node’s  neighbours  arc  determined  and 
detected  only  once  in  LiteWoip,  and  the  packets  from  non-neighbouring 
nodes  arc  rejected,  no  node  movement  is  allowable.  Therefore,  LiteWoip  is 
applicable  to  static  networks  only8. 

Overall,  while  this  protocols  is  interesting,  it  does  not  seem  practical. 

2.4.5  Networks  with  on-demand  multipath  routing:  a  statistical  analysis 
approach 

Song  et  al  [21]  approach  the  wormhole  attack  from  a  different  angle.  Song 
proposes  a  wormhole  discovery  mechanism  based  on  statistical  analysis  of 
multipath  routing.  Song  observes  that  a  link  created  by  a  wormhole  is  very 
attractive  in  routing  sense,  and  will  be  selected  and  requested  (for  routing) 
with  unnaturally  high  frequency.  This  unusual  route  selection  frequency  can 
be  statistically  detected  and  used  to  identify  wormhole  links.  Such  statistical 
analysis  approach  is  fundamentally  different  from  the  majority  of  others 
where,  in  general,  wormhole  detection  is  related  to  locating  a  node  in  absolute 
or  relative  terms  (based  on  network  topology,  time  of  packet  transmission, 
GPS  coordinates,  with  respect  to  GPS-aware  nodes,  etc). 

Song’s  method  requires  neither  special  hardware  nor  any  changes  to  existing 
routing  protocols.  In  fact,  it  does  not  even  require  aggregation  of  any  special 
information,  as  it  only  uses  routing  data  already  available  to  a  node.  These 
factors  allow  for  easy  integration  of  this  method  into  intrusion  detection 
systems. 

However,  Song’s  method  is  somewhat  limited  in  scope  as  it  applies  only  to 
routing  protocols  that  are  both  on-demand  and  multipath.  Non-multipath 
on-demand  protocols  do  not  provide  enough  information  for  the 

7To  exploit  this  data  fully,  LiteWorp  packets  not  only  include  'sender'  information,  but  also  ’previous  hop' 
information,  rarely  found  in  other  routing  protocols 

sNote,  that  for  purely  static  networks  there  is  also  a  trivial  solution  to  wormhole  attacks:  static  routing 
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determination  of  link  frequencies.  While  on-demand  routing  protocols  keep 
complete  information  about  routes  they  discover,  proactive  ones  rely  on 
next-hop  information,  which  does  not  allow  the  calculation  of  link 
frequencies.  Nonetheless,  within  its  scope  Song’s  method  is  very  interesting, 
and  could  be  integrated  in  a  real-world  system  with  little  effort. 

3.  Discussion  and  summary 


Wormhole  attacks,  in  which  adversaries  tunnel  network  data  from  one  end  of  the 
network  to  another  using  an  off-channel  link,  are  a  severe  routing  security  concern  in 
mobile  wireless  ad  hoc  networks.  Wormhole  attacks  can  not  be  prevented  by 
cryptographic  measures  as  in  a  wormhole  attack  they  attackers  do  not  create  any 
packets  themselves,  but  simply  forward  the  packets  they  hear  coming  from  valid 
network  nodes. 

Possible  solutions  to  wormhole  attacks  proposed  by  different  researchers  arc  discussed 
in  our  report.  In  the  previous  sections,  we  described  and  discussed  all  major  proposed 
solutions  to  wormhole  attacks.  Brief  summary  of  all  approaches  described  in  the 
previous  section  is  provided  in  Table  1 . 

Several  researchers  use  distance-bounding  techniques  to  detect  network  packets  that 
travel  distances  beyond  radio  range,  thus  preventing  packets  that  have  gone  through  the 
wormhole  from  being  accepted.  However,  majority  of  these  techniques  rely  on 
specialized  hardware,  and  may  not  be  practical.  Of  distance-bounding  techniques, 
GPS-based  ones  arc  particularly  interesting,  as,  of  the  specialized  hardware  proposed  to 
combat  wormhole  attacks,  GPS  is  perhaps  the  most  general  in  purpose,  most  available 
currently,  and  overall  most  promising.  The  effectiveness  of  GPS-based  wormhole 
attack  solution  is  intuitively  solid:  a  packet  can  not  travel  to  another  end  of  the  network 
undetected  if  all  nodes  know  precisely  where  they  arc  located  and  where  their 
neighbours  are.  Unfortunately,  GPS-based  wormhole  combatting  techniques  inherit  the 
limitations  of  GPS  technology.  They  can  not  be  used  where  GPS  does  not  work 
(underwater,  inside  buildings,  caves,  etc.),  or  in  small  sensor  networks!  due  to  the 
resolution  of  GPS  devices). 

Nonetheless,  GPS-based  techniques  arc  interesting,  particularly  for  military  or 
emergency  situations,  where  GPS  devices  could  be  used  for  location  awareness 
purposes,  and  could  be  added  to  network  routing  without  any  additional  costs. 

Network  visualization  technique  presented  in  [18]  for  dense  sensor  networks  does  not 
require  special  hardware,  and  appeal's  to  be  very  interesting.  In  this  technique,  each 
node  reports  its  perceived  distance  to  its  neighbours  to  a  centralized  controller.  Based 
on  the  data  collected  from  network  nodes,  the  controller  calculates  the  estimation  of 
network’s  physical  topology,  to  which  a  wormhole,  in  certain  scenarios,  introduces 
impossibilities.  It  would  be  very  interesting  to  study  how  this  technique  performs  on 
networks  that  are  mobile  and  not  dense.  Most  likely,  the  technique  will  still  work,  but 
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perhaps  with  reduces  accuracy  and  higher  false  alarm  rate.  If  that  is  the  case,  with  the 
use  of  mobile  agents  for  network  visualization  instead  of  the  central  controller  this 
technique  could  be  applied  to  general  MANETs  rather  than  to  sensor  networks  only. 

Finally,  the  last  technique  we  found  particularly  interesting  is  the  one  based  on 
anomalous  frequency  of  route  selection  when  wormholes  are  present  on  a  network  [21]. 
This  technique,  although  it  applies  to  multipath  on-demand  protocols  only,  is 
interesting  because  it  is  lightweight  and,  unlike  many  others,  can  be  easily  and 
immediately  integrated  into  a  MANET  Intrusion  Detection  System  (IDS).  In  essence, 
this  technique  is  akin  to  those  employed  by  IDS  systems  in  wired  networks  (for 
example,  on  a  wired  network  a  port  scan  can  be  detected  by  observing  high  and 
abnormal  rate  of  port  requests),  and  could  potentially  be  useful. 

Overall,  a  significant  amount  of  work  has  been  done  on  solving  wormhole  attack 
problem.  A  standard  solution  is  still  lacking,  although  several  very  useful  solutions 
applicable  to  some  networks  have  been  described. 


9These  approaches  rely  on  a  node  immediately  answering  a  challenge  message  ,  which  is  not  possible  with 
standard  wireless  MAC  (such  as  802.1 1).  It  is  most  likely  that  enabling  immediate  replies  to  messages  will  require 
specialized  hardware  rather  than  standard  wireless  cards 


14 


DRDC  Ottawa  CR  2006-165 


Table  1:  Summary  of  wormhole  discovery  methods 


Method 

Requirements 

Commentary 

Packet  leashes,  geographi¬ 
cal  ([7]) 

GPS  coordinates  of  ev¬ 
ery  node;  Loosely  synchro¬ 
nized  clocks  (ms) 

Robust,  straightforward  so¬ 
lution;  inherits  general  lim¬ 
itations  of  GPS  technology 

Packet  leashes,  temporal 
([7]) 

Tightly  synchronized 

clocks  (ns) 

Impractical;  required  time 
synchronization  level  not 
currently  achievable  in  to 
sensor  networks 

Packet  leashes,  end-to-end 
([8]) 

GPS  coordinates;  Loosely 
synchronized  clocks  (ms) 

Inherits  limitations  of  GPS 
technology 

Time  of  flight  ([9],  [10], 
[11],  [12]) 

Hardware  enabling  one -bit 
messages  and  immedi¬ 
ate  replies  without  CPU 
involvement  ([9]);  Not 
clear9([10],[l  1],  [12]) 

Impractical;  likely  to  re¬ 
quire  MAC-layer  modifica¬ 
tions 

Wormhole  as  a  misbehav¬ 
ing  link  ([14],  [15]) 

none 

Addresses  packet  loss,  but 
does  not  fully  address  or 
prevent  wormholes  in  gen¬ 
eral 

Directional  antennas  ([16], 
[17]) 

Directional  antennas  on  all 
nodes  ([16])  or  several 
nodes  with  both  GPS  and 
directional  antennas  ([17]) 

Good  solutions  for  net¬ 
works  relying  on  direc¬ 
tional  antennas,  but  not  di¬ 
rectly  applicable  to  other 
networks 

Network  visualization  [18] 

Centralized  controller 

Seems  promising;  Works 
best  on  dense  networks; 
Mobility  not  studied;  Var¬ 
ied  terrains  not  studied 

Localization[19] 

Location-aware  'guard’ 

nodes 

Good  solution  for  sensor 
networks;  Not  readily  ap¬ 
plicable  to  mobile  networks 

LiteWorp  [20] 

none 

Applicable  only  to  static 
stationary  networks;  Im¬ 
practical 

Statistical  analysis  [21] 

no  requirements 

Works  only  with  multi-path 
on-demand  protocols; 
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